diff options
author | Schanzenbach, Martin <mschanzenbach@posteo.de> | 2019-04-27 21:01:13 +0200 |
---|---|---|
committer | Schanzenbach, Martin <mschanzenbach@posteo.de> | 2019-04-27 21:01:13 +0200 |
commit | f7e0dfea0966f0ae9a4185206885d3a61895b759 (patch) | |
tree | eeeba47f96972b3e619cd038f488f0639062977d /src/reclaim | |
parent | 7f50a089e5308bc7691704683dea805258f6c0b2 (diff) | |
download | gnunet-f7e0dfea0966f0ae9a4185206885d3a61895b759.tar.gz gnunet-f7e0dfea0966f0ae9a4185206885d3a61895b759.zip |
RECLAIM/OIDC: encrypt authorizaion code payload
Diffstat (limited to 'src/reclaim')
-rw-r--r-- | src/reclaim/oidc_helper.c | 160 | ||||
-rw-r--r-- | src/reclaim/oidc_helper.h | 4 | ||||
-rw-r--r-- | src/reclaim/plugin_rest_openid_connect.c | 52 |
3 files changed, 167 insertions, 49 deletions
diff --git a/src/reclaim/oidc_helper.c b/src/reclaim/oidc_helper.c index 56a4b17a4..89e0920f0 100644 --- a/src/reclaim/oidc_helper.c +++ b/src/reclaim/oidc_helper.c | |||
@@ -292,6 +292,86 @@ base64_encode (const char *data, size_t data_size) | |||
292 | } | 292 | } |
293 | 293 | ||
294 | 294 | ||
295 | static void | ||
296 | derive_aes_key (struct GNUNET_CRYPTO_SymmetricSessionKey *key, | ||
297 | struct GNUNET_CRYPTO_SymmetricInitializationVector *iv, | ||
298 | struct GNUNET_HashCode *key_material) | ||
299 | { | ||
300 | static const char ctx_key[] = "reclaim-aes-ctx-key"; | ||
301 | static const char ctx_iv[] = "reclaim-aes-ctx-iv"; | ||
302 | GNUNET_CRYPTO_kdf (key, | ||
303 | sizeof (struct GNUNET_CRYPTO_SymmetricSessionKey), | ||
304 | ctx_key, | ||
305 | strlen (ctx_key), | ||
306 | &key_material, | ||
307 | sizeof (key_material), | ||
308 | NULL); | ||
309 | GNUNET_CRYPTO_kdf (iv, | ||
310 | sizeof ( | ||
311 | struct GNUNET_CRYPTO_SymmetricInitializationVector), | ||
312 | ctx_iv, | ||
313 | strlen (ctx_iv), | ||
314 | &key_material, | ||
315 | sizeof (key_material), | ||
316 | NULL); | ||
317 | } | ||
318 | |||
319 | |||
320 | static void | ||
321 | calculate_key_priv (struct GNUNET_CRYPTO_SymmetricSessionKey *key, | ||
322 | struct GNUNET_CRYPTO_SymmetricInitializationVector *iv, | ||
323 | const struct GNUNET_CRYPTO_EcdsaPrivateKey *ecdsa_priv, | ||
324 | const struct GNUNET_CRYPTO_EcdhePublicKey *ecdh_pub) | ||
325 | { | ||
326 | struct GNUNET_HashCode key_material; | ||
327 | GNUNET_CRYPTO_ecdsa_ecdh (ecdsa_priv, ecdh_pub, &key_material); | ||
328 | derive_aes_key (key, iv, &key_material); | ||
329 | } | ||
330 | |||
331 | |||
332 | static void | ||
333 | calculate_key_pub (struct GNUNET_CRYPTO_SymmetricSessionKey *key, | ||
334 | struct GNUNET_CRYPTO_SymmetricInitializationVector *iv, | ||
335 | const struct GNUNET_CRYPTO_EcdsaPublicKey *ecdsa_pub, | ||
336 | const struct GNUNET_CRYPTO_EcdhePrivateKey *ecdh_priv) | ||
337 | { | ||
338 | struct GNUNET_HashCode key_material; | ||
339 | GNUNET_CRYPTO_ecdh_ecdsa (ecdh_priv, ecdsa_pub, &key_material); | ||
340 | derive_aes_key (key, iv, &key_material); | ||
341 | } | ||
342 | |||
343 | |||
344 | static void | ||
345 | decrypt_payload (const struct GNUNET_CRYPTO_EcdsaPrivateKey *ecdsa_priv, | ||
346 | const struct GNUNET_CRYPTO_EcdhePublicKey *ecdh_pub, | ||
347 | const char *ct, | ||
348 | size_t ct_len, | ||
349 | char *buf) | ||
350 | { | ||
351 | struct GNUNET_CRYPTO_SymmetricSessionKey key; | ||
352 | struct GNUNET_CRYPTO_SymmetricInitializationVector iv; | ||
353 | |||
354 | calculate_key_priv (&key, &iv, ecdsa_priv, ecdh_pub); | ||
355 | GNUNET_break (GNUNET_CRYPTO_symmetric_decrypt (ct, ct_len, &key, &iv, buf)); | ||
356 | } | ||
357 | |||
358 | |||
359 | static void | ||
360 | encrypt_payload (const struct GNUNET_CRYPTO_EcdsaPublicKey *ecdsa_pub, | ||
361 | const struct GNUNET_CRYPTO_EcdhePrivateKey *ecdh_priv, | ||
362 | const char *payload, | ||
363 | size_t payload_len, | ||
364 | char *buf) | ||
365 | { | ||
366 | struct GNUNET_CRYPTO_SymmetricSessionKey key; | ||
367 | struct GNUNET_CRYPTO_SymmetricInitializationVector iv; | ||
368 | |||
369 | calculate_key_pub (&key, &iv, ecdsa_pub, ecdh_priv); | ||
370 | GNUNET_break ( | ||
371 | GNUNET_CRYPTO_symmetric_encrypt (payload, payload_len, &key, &iv, buf)); | ||
372 | } | ||
373 | |||
374 | |||
295 | /** | 375 | /** |
296 | * Builds an OIDC authorization code including | 376 | * Builds an OIDC authorization code including |
297 | * a reclaim ticket and nonce | 377 | * a reclaim ticket and nonce |
@@ -309,6 +389,7 @@ OIDC_build_authz_code (const struct GNUNET_CRYPTO_EcdsaPrivateKey *issuer, | |||
309 | const char *nonce_str) | 389 | const char *nonce_str) |
310 | { | 390 | { |
311 | char *code_payload; | 391 | char *code_payload; |
392 | char *plaintext; | ||
312 | char *attrs_ser; | 393 | char *attrs_ser; |
313 | char *code_str; | 394 | char *code_str; |
314 | char *buf_ptr; | 395 | char *buf_ptr; |
@@ -318,6 +399,8 @@ OIDC_build_authz_code (const struct GNUNET_CRYPTO_EcdsaPrivateKey *issuer, | |||
318 | uint32_t nonce; | 399 | uint32_t nonce; |
319 | uint32_t nonce_tmp; | 400 | uint32_t nonce_tmp; |
320 | struct GNUNET_CRYPTO_EccSignaturePurpose *purpose; | 401 | struct GNUNET_CRYPTO_EccSignaturePurpose *purpose; |
402 | struct GNUNET_CRYPTO_EcdhePrivateKey *ecdh_priv; | ||
403 | struct GNUNET_CRYPTO_EcdhePublicKey ecdh_pub; | ||
321 | 404 | ||
322 | attrs_ser = NULL; | 405 | attrs_ser = NULL; |
323 | signature_payload_len = | 406 | signature_payload_len = |
@@ -333,19 +416,15 @@ OIDC_build_authz_code (const struct GNUNET_CRYPTO_EcdsaPrivateKey *issuer, | |||
333 | GNUNET_RECLAIM_ATTRIBUTE_list_serialize (attrs, attrs_ser); | 416 | GNUNET_RECLAIM_ATTRIBUTE_list_serialize (attrs, attrs_ser); |
334 | } | 417 | } |
335 | code_payload_len = sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) + | 418 | code_payload_len = sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) + |
419 | sizeof (struct GNUNET_CRYPTO_EcdhePublicKey) + | ||
336 | signature_payload_len + | 420 | signature_payload_len + |
337 | sizeof (struct GNUNET_CRYPTO_EcdsaSignature); | 421 | sizeof (struct GNUNET_CRYPTO_EcdsaSignature); |
338 | GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, | 422 | GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, |
339 | "Length of data to encode: %lu\n", | 423 | "Length of data to encode: %lu\n", |
340 | code_payload_len); | 424 | code_payload_len); |
341 | code_payload = GNUNET_malloc (code_payload_len); | 425 | plaintext = GNUNET_malloc (signature_payload_len); |
342 | GNUNET_assert (NULL != code_payload); | ||
343 | purpose = (struct GNUNET_CRYPTO_EccSignaturePurpose *) code_payload; | ||
344 | purpose->size = htonl (sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) + | ||
345 | signature_payload_len); | ||
346 | purpose->purpose = htonl (GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN); | ||
347 | // First, copy ticket | 426 | // First, copy ticket |
348 | buf_ptr = (char *) &purpose[1]; | 427 | buf_ptr = plaintext; |
349 | memcpy (buf_ptr, ticket, sizeof (struct GNUNET_RECLAIM_Ticket)); | 428 | memcpy (buf_ptr, ticket, sizeof (struct GNUNET_RECLAIM_Ticket)); |
350 | buf_ptr += sizeof (struct GNUNET_RECLAIM_Ticket); | 429 | buf_ptr += sizeof (struct GNUNET_RECLAIM_Ticket); |
351 | // Then copy nonce | 430 | // Then copy nonce |
@@ -356,12 +435,14 @@ OIDC_build_authz_code (const struct GNUNET_CRYPTO_EcdsaPrivateKey *issuer, | |||
356 | { | 435 | { |
357 | GNUNET_break (0); | 436 | GNUNET_break (0); |
358 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Invalid nonce %s\n", nonce_str); | 437 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Invalid nonce %s\n", nonce_str); |
359 | GNUNET_free (code_payload); | 438 | GNUNET_free (plaintext); |
360 | GNUNET_free_non_null (attrs_ser); | 439 | GNUNET_free_non_null (attrs_ser); |
361 | return NULL; | 440 | return NULL; |
362 | } | 441 | } |
363 | GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, | 442 | GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, |
364 | "Got nonce: %u from %s\n", nonce, nonce_str); | 443 | "Got nonce: %u from %s\n", |
444 | nonce, | ||
445 | nonce_str); | ||
365 | } | 446 | } |
366 | nonce_tmp = htonl (nonce); | 447 | nonce_tmp = htonl (nonce); |
367 | memcpy (buf_ptr, &nonce_tmp, sizeof (uint32_t)); | 448 | memcpy (buf_ptr, &nonce_tmp, sizeof (uint32_t)); |
@@ -371,7 +452,32 @@ OIDC_build_authz_code (const struct GNUNET_CRYPTO_EcdsaPrivateKey *issuer, | |||
371 | { | 452 | { |
372 | memcpy (buf_ptr, attrs_ser, attr_list_len); | 453 | memcpy (buf_ptr, attrs_ser, attr_list_len); |
373 | buf_ptr += attr_list_len; | 454 | buf_ptr += attr_list_len; |
455 | GNUNET_free (attrs_ser); | ||
374 | } | 456 | } |
457 | // Generate ECDH key | ||
458 | ecdh_priv = GNUNET_CRYPTO_ecdhe_key_create (); | ||
459 | GNUNET_CRYPTO_ecdhe_key_get_public (ecdh_priv, &ecdh_pub); | ||
460 | // Initialize code payload | ||
461 | code_payload = GNUNET_malloc (code_payload_len); | ||
462 | GNUNET_assert (NULL != code_payload); | ||
463 | purpose = (struct GNUNET_CRYPTO_EccSignaturePurpose *) code_payload; | ||
464 | purpose->size = htonl (sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) + | ||
465 | sizeof (ecdh_pub) + signature_payload_len); | ||
466 | purpose->purpose = htonl (GNUNET_SIGNATURE_PURPOSE_RECLAIM_CODE_SIGN); | ||
467 | // Store pubkey | ||
468 | buf_ptr = (char *) &purpose[1]; | ||
469 | memcpy (buf_ptr, &ecdh_pub, sizeof (ecdh_pub)); | ||
470 | buf_ptr += sizeof (ecdh_pub); | ||
471 | // Encrypt plaintext and store | ||
472 | encrypt_payload (&ticket->audience, | ||
473 | ecdh_priv, | ||
474 | plaintext, | ||
475 | signature_payload_len, | ||
476 | buf_ptr); | ||
477 | GNUNET_free (ecdh_priv); | ||
478 | GNUNET_free (plaintext); | ||
479 | buf_ptr += signature_payload_len; | ||
480 | // Sign and store signature | ||
375 | if (GNUNET_SYSERR == | 481 | if (GNUNET_SYSERR == |
376 | GNUNET_CRYPTO_ecdsa_sign (issuer, | 482 | GNUNET_CRYPTO_ecdsa_sign (issuer, |
377 | purpose, | 483 | purpose, |
@@ -381,12 +487,10 @@ OIDC_build_authz_code (const struct GNUNET_CRYPTO_EcdsaPrivateKey *issuer, | |||
381 | GNUNET_break (0); | 487 | GNUNET_break (0); |
382 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Unable to sign code\n"); | 488 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Unable to sign code\n"); |
383 | GNUNET_free (code_payload); | 489 | GNUNET_free (code_payload); |
384 | GNUNET_free_non_null (attrs_ser); | ||
385 | return NULL; | 490 | return NULL; |
386 | } | 491 | } |
387 | code_str = base64_encode (code_payload, code_payload_len); | 492 | code_str = base64_encode (code_payload, code_payload_len); |
388 | GNUNET_free (code_payload); | 493 | GNUNET_free (code_payload); |
389 | GNUNET_free_non_null (attrs_ser); | ||
390 | return code_str; | 494 | return code_str; |
391 | } | 495 | } |
392 | 496 | ||
@@ -404,7 +508,7 @@ OIDC_build_authz_code (const struct GNUNET_CRYPTO_EcdsaPrivateKey *issuer, | |||
404 | * @return GNUNET_OK if successful, else GNUNET_SYSERR | 508 | * @return GNUNET_OK if successful, else GNUNET_SYSERR |
405 | */ | 509 | */ |
406 | int | 510 | int |
407 | OIDC_parse_authz_code (const struct GNUNET_CRYPTO_EcdsaPublicKey *audience, | 511 | OIDC_parse_authz_code (const struct GNUNET_CRYPTO_EcdsaPrivateKey *ecdsa_priv, |
408 | const char *code, | 512 | const char *code, |
409 | struct GNUNET_RECLAIM_Ticket *ticket, | 513 | struct GNUNET_RECLAIM_Ticket *ticket, |
410 | struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList **attrs, | 514 | struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList **attrs, |
@@ -412,19 +516,23 @@ OIDC_parse_authz_code (const struct GNUNET_CRYPTO_EcdsaPublicKey *audience, | |||
412 | { | 516 | { |
413 | char *code_payload; | 517 | char *code_payload; |
414 | char *ptr; | 518 | char *ptr; |
519 | char *plaintext; | ||
415 | struct GNUNET_CRYPTO_EccSignaturePurpose *purpose; | 520 | struct GNUNET_CRYPTO_EccSignaturePurpose *purpose; |
416 | struct GNUNET_CRYPTO_EcdsaSignature *signature; | 521 | struct GNUNET_CRYPTO_EcdsaSignature *signature; |
522 | struct GNUNET_CRYPTO_EcdsaPublicKey ecdsa_pub; | ||
523 | struct GNUNET_CRYPTO_EcdhePublicKey *ecdh_pub; | ||
417 | size_t code_payload_len; | 524 | size_t code_payload_len; |
418 | size_t attrs_ser_len; | 525 | size_t attrs_ser_len; |
419 | size_t signature_offset; | 526 | size_t signature_offset; |
527 | size_t plaintext_len; | ||
420 | uint32_t nonce = 0; | 528 | uint32_t nonce = 0; |
421 | 529 | ||
422 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Trying to decode `%s'\n", code); | 530 | GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Trying to decode `%s'\n", code); |
423 | code_payload = NULL; | 531 | code_payload = NULL; |
424 | code_payload_len = | 532 | code_payload_len = |
425 | GNUNET_STRINGS_base64_decode (code, strlen (code), (void **) &code_payload); | 533 | GNUNET_STRINGS_base64_decode (code, strlen (code), (void **) &code_payload); |
426 | |||
427 | if (code_payload_len < sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) + | 534 | if (code_payload_len < sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) + |
535 | sizeof (struct GNUNET_CRYPTO_EcdhePublicKey) + | ||
428 | sizeof (struct GNUNET_RECLAIM_Ticket) + | 536 | sizeof (struct GNUNET_RECLAIM_Ticket) + |
429 | sizeof (uint32_t) + | 537 | sizeof (uint32_t) + |
430 | sizeof (struct GNUNET_CRYPTO_EcdsaSignature)) | 538 | sizeof (struct GNUNET_CRYPTO_EcdsaSignature)) |
@@ -438,24 +546,39 @@ OIDC_parse_authz_code (const struct GNUNET_CRYPTO_EcdsaPublicKey *audience, | |||
438 | attrs_ser_len = code_payload_len; | 546 | attrs_ser_len = code_payload_len; |
439 | attrs_ser_len -= sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose); | 547 | attrs_ser_len -= sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose); |
440 | ptr = (char *) &purpose[1]; | 548 | ptr = (char *) &purpose[1]; |
549 | // Public ECDH key | ||
550 | ecdh_pub = (struct GNUNET_CRYPTO_EcdhePublicKey *) ptr; | ||
551 | ptr += sizeof (struct GNUNET_CRYPTO_EcdhePublicKey); | ||
552 | attrs_ser_len -= sizeof (struct GNUNET_CRYPTO_EcdhePublicKey); | ||
553 | |||
554 | // Decrypt ciphertext | ||
555 | plaintext_len = attrs_ser_len - sizeof (struct GNUNET_CRYPTO_EcdsaSignature); | ||
556 | plaintext = GNUNET_malloc (plaintext_len); | ||
557 | decrypt_payload (ecdsa_priv, ecdh_pub, ptr, plaintext_len, plaintext); | ||
558 | ptr = plaintext; | ||
559 | // Ticket | ||
441 | *ticket = *((struct GNUNET_RECLAIM_Ticket *) ptr); | 560 | *ticket = *((struct GNUNET_RECLAIM_Ticket *) ptr); |
442 | attrs_ser_len -= sizeof (struct GNUNET_RECLAIM_Ticket); | 561 | attrs_ser_len -= sizeof (struct GNUNET_RECLAIM_Ticket); |
443 | ptr += sizeof (struct GNUNET_RECLAIM_Ticket); | 562 | ptr += sizeof (struct GNUNET_RECLAIM_Ticket); |
563 | // Nonce | ||
444 | nonce = ntohl (*((uint32_t *) ptr)); | 564 | nonce = ntohl (*((uint32_t *) ptr)); |
445 | GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, | 565 | GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Got nonce: %u\n", nonce); |
446 | "Got nonce: %u\n", nonce); | ||
447 | attrs_ser_len -= sizeof (uint32_t); | 566 | attrs_ser_len -= sizeof (uint32_t); |
448 | ptr += sizeof (uint32_t); | 567 | ptr += sizeof (uint32_t); |
568 | // Attributes | ||
449 | attrs_ser_len -= sizeof (struct GNUNET_CRYPTO_EcdsaSignature); | 569 | attrs_ser_len -= sizeof (struct GNUNET_CRYPTO_EcdsaSignature); |
450 | *attrs = GNUNET_RECLAIM_ATTRIBUTE_list_deserialize (ptr, attrs_ser_len); | 570 | *attrs = GNUNET_RECLAIM_ATTRIBUTE_list_deserialize (ptr, attrs_ser_len); |
571 | // Signature | ||
451 | signature_offset = | 572 | signature_offset = |
452 | code_payload_len - sizeof (struct GNUNET_CRYPTO_EcdsaSignature); | 573 | code_payload_len - sizeof (struct GNUNET_CRYPTO_EcdsaSignature); |
453 | signature = | 574 | signature = |
454 | (struct GNUNET_CRYPTO_EcdsaSignature *) &code_payload[signature_offset]; | 575 | (struct GNUNET_CRYPTO_EcdsaSignature *) &code_payload[signature_offset]; |
455 | if (0 != GNUNET_memcmp (audience, &ticket->audience)) | 576 | GNUNET_CRYPTO_ecdsa_key_get_public (ecdsa_priv, &ecdsa_pub); |
577 | if (0 != GNUNET_memcmp (&ecdsa_pub, &ticket->audience)) | ||
456 | { | 578 | { |
457 | GNUNET_RECLAIM_ATTRIBUTE_list_destroy (*attrs); | 579 | GNUNET_RECLAIM_ATTRIBUTE_list_destroy (*attrs); |
458 | GNUNET_free (code_payload); | 580 | GNUNET_free (code_payload); |
581 | GNUNET_free (plaintext); | ||
459 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, | 582 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, |
460 | "Audience in ticket does not match client!\n"); | 583 | "Audience in ticket does not match client!\n"); |
461 | return GNUNET_SYSERR; | 584 | return GNUNET_SYSERR; |
@@ -468,12 +591,15 @@ OIDC_parse_authz_code (const struct GNUNET_CRYPTO_EcdsaPublicKey *audience, | |||
468 | { | 591 | { |
469 | GNUNET_RECLAIM_ATTRIBUTE_list_destroy (*attrs); | 592 | GNUNET_RECLAIM_ATTRIBUTE_list_destroy (*attrs); |
470 | GNUNET_free (code_payload); | 593 | GNUNET_free (code_payload); |
594 | GNUNET_free (plaintext); | ||
471 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Signature of AuthZ code invalid!\n"); | 595 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Signature of AuthZ code invalid!\n"); |
472 | return GNUNET_SYSERR; | 596 | return GNUNET_SYSERR; |
473 | } | 597 | } |
474 | *nonce_str = NULL; | 598 | *nonce_str = NULL; |
475 | if (nonce != 0) | 599 | if (nonce != 0) |
476 | GNUNET_asprintf (nonce_str, "%u", nonce); | 600 | GNUNET_asprintf (nonce_str, "%u", nonce); |
601 | GNUNET_free (code_payload); | ||
602 | GNUNET_free (plaintext); | ||
477 | return GNUNET_OK; | 603 | return GNUNET_OK; |
478 | } | 604 | } |
479 | 605 | ||
diff --git a/src/reclaim/oidc_helper.h b/src/reclaim/oidc_helper.h index 3c57dc235..6fe1721d3 100644 --- a/src/reclaim/oidc_helper.h +++ b/src/reclaim/oidc_helper.h | |||
@@ -77,7 +77,7 @@ OIDC_build_authz_code (const struct GNUNET_CRYPTO_EcdsaPrivateKey *issuer, | |||
77 | * authorization code. | 77 | * authorization code. |
78 | * This also verifies the signature in the code. | 78 | * This also verifies the signature in the code. |
79 | * | 79 | * |
80 | * @param audience the expected audience of the code | 80 | * @param ecdsa_priv the audience of the ticket |
81 | * @param code the string representation of the code | 81 | * @param code the string representation of the code |
82 | * @param ticket where to store the ticket | 82 | * @param ticket where to store the ticket |
83 | * @param attrs the attributes found in the code | 83 | * @param attrs the attributes found in the code |
@@ -85,7 +85,7 @@ OIDC_build_authz_code (const struct GNUNET_CRYPTO_EcdsaPrivateKey *issuer, | |||
85 | * @return GNUNET_OK if successful, else GNUNET_SYSERR | 85 | * @return GNUNET_OK if successful, else GNUNET_SYSERR |
86 | */ | 86 | */ |
87 | int | 87 | int |
88 | OIDC_parse_authz_code (const struct GNUNET_CRYPTO_EcdsaPublicKey *audience, | 88 | OIDC_parse_authz_code (const struct GNUNET_CRYPTO_EcdsaPrivateKey *ecdsa_priv, |
89 | const char* code, | 89 | const char* code, |
90 | struct GNUNET_RECLAIM_Ticket *ticket, | 90 | struct GNUNET_RECLAIM_Ticket *ticket, |
91 | struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList **attrs, | 91 | struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList **attrs, |
diff --git a/src/reclaim/plugin_rest_openid_connect.c b/src/reclaim/plugin_rest_openid_connect.c index 0ef621536..753c3fcae 100644 --- a/src/reclaim/plugin_rest_openid_connect.c +++ b/src/reclaim/plugin_rest_openid_connect.c | |||
@@ -1600,9 +1600,9 @@ check_authorization (struct RequestHandle *handle, | |||
1600 | return GNUNET_OK; | 1600 | return GNUNET_OK; |
1601 | } | 1601 | } |
1602 | 1602 | ||
1603 | static int | 1603 | const struct EgoEntry * |
1604 | ego_exists (struct RequestHandle *handle, | 1604 | find_ego (struct RequestHandle *handle, |
1605 | struct GNUNET_CRYPTO_EcdsaPublicKey *test_key) | 1605 | struct GNUNET_CRYPTO_EcdsaPublicKey *test_key) |
1606 | { | 1606 | { |
1607 | struct EgoEntry *ego_entry; | 1607 | struct EgoEntry *ego_entry; |
1608 | struct GNUNET_CRYPTO_EcdsaPublicKey pub_key; | 1608 | struct GNUNET_CRYPTO_EcdsaPublicKey pub_key; |
@@ -1612,11 +1612,9 @@ ego_exists (struct RequestHandle *handle, | |||
1612 | { | 1612 | { |
1613 | GNUNET_IDENTITY_ego_get_public_key (ego_entry->ego, &pub_key); | 1613 | GNUNET_IDENTITY_ego_get_public_key (ego_entry->ego, &pub_key); |
1614 | if (0 == GNUNET_memcmp (&pub_key, test_key)) | 1614 | if (0 == GNUNET_memcmp (&pub_key, test_key)) |
1615 | break; | 1615 | return ego_entry; |
1616 | } | 1616 | } |
1617 | if (NULL == ego_entry) | 1617 | return NULL; |
1618 | return GNUNET_NO; | ||
1619 | return GNUNET_YES; | ||
1620 | } | 1618 | } |
1621 | 1619 | ||
1622 | static void | 1620 | static void |
@@ -1650,10 +1648,12 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
1650 | void *cls) | 1648 | void *cls) |
1651 | { | 1649 | { |
1652 | struct RequestHandle *handle = cls; | 1650 | struct RequestHandle *handle = cls; |
1651 | const struct EgoEntry *ego_entry; | ||
1653 | struct GNUNET_TIME_Relative expiration_time; | 1652 | struct GNUNET_TIME_Relative expiration_time; |
1654 | struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *cl; | 1653 | struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList *cl; |
1655 | struct GNUNET_RECLAIM_Ticket ticket; | 1654 | struct GNUNET_RECLAIM_Ticket ticket; |
1656 | struct GNUNET_CRYPTO_EcdsaPublicKey cid; | 1655 | struct GNUNET_CRYPTO_EcdsaPublicKey cid; |
1656 | const struct GNUNET_CRYPTO_EcdsaPrivateKey *privkey; | ||
1657 | struct GNUNET_HashCode cache_key; | 1657 | struct GNUNET_HashCode cache_key; |
1658 | struct MHD_Response *resp; | 1658 | struct MHD_Response *resp; |
1659 | char *grant_type; | 1659 | char *grant_type; |
@@ -1713,9 +1713,17 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
1713 | GNUNET_SCHEDULER_add_now (&do_error, handle); | 1713 | GNUNET_SCHEDULER_add_now (&do_error, handle); |
1714 | return; | 1714 | return; |
1715 | } | 1715 | } |
1716 | 1716 | ego_entry = find_ego (handle, &cid); | |
1717 | if (NULL == ego_entry) | ||
1718 | { | ||
1719 | handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST); | ||
1720 | handle->edesc = GNUNET_strdup ("Unknown client"); | ||
1721 | handle->response_code = MHD_HTTP_BAD_REQUEST; | ||
1722 | GNUNET_SCHEDULER_add_now (&do_error, handle); | ||
1723 | } | ||
1724 | privkey = GNUNET_IDENTITY_ego_get_private_key (ego_entry->ego); | ||
1717 | // decode code | 1725 | // decode code |
1718 | if (GNUNET_OK != OIDC_parse_authz_code (&cid, code, &ticket, &cl, &nonce)) | 1726 | if (GNUNET_OK != OIDC_parse_authz_code (privkey, code, &ticket, &cl, &nonce)) |
1719 | { | 1727 | { |
1720 | handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST); | 1728 | handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST); |
1721 | handle->edesc = GNUNET_strdup ("invalid code"); | 1729 | handle->edesc = GNUNET_strdup ("invalid code"); |
@@ -1739,13 +1747,6 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
1739 | 1747 | ||
1740 | 1748 | ||
1741 | // TODO OPTIONAL acr,amr,azp | 1749 | // TODO OPTIONAL acr,amr,azp |
1742 | if (GNUNET_NO == ego_exists (handle, &ticket.audience)) | ||
1743 | { | ||
1744 | handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_REQUEST); | ||
1745 | handle->edesc = GNUNET_strdup ("invalid code..."); | ||
1746 | handle->response_code = MHD_HTTP_BAD_REQUEST; | ||
1747 | GNUNET_SCHEDULER_add_now (&do_error, handle); | ||
1748 | } | ||
1749 | if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_string (cfg, | 1750 | if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_string (cfg, |
1750 | "reclaim-rest-plugin", | 1751 | "reclaim-rest-plugin", |
1751 | "jwt_secret", | 1752 | "jwt_secret", |
@@ -1827,9 +1828,8 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
1827 | char *authorization_type; | 1828 | char *authorization_type; |
1828 | char *authorization_access_token; | 1829 | char *authorization_access_token; |
1829 | struct GNUNET_RECLAIM_Ticket *ticket; | 1830 | struct GNUNET_RECLAIM_Ticket *ticket; |
1831 | const struct EgoEntry *ego_entry; | ||
1830 | const struct GNUNET_CRYPTO_EcdsaPrivateKey *privkey; | 1832 | const struct GNUNET_CRYPTO_EcdsaPrivateKey *privkey; |
1831 | struct GNUNET_CRYPTO_EcdsaPublicKey pk; | ||
1832 | |||
1833 | 1833 | ||
1834 | GNUNET_CRYPTO_hash (OIDC_AUTHORIZATION_HEADER_KEY, | 1834 | GNUNET_CRYPTO_hash (OIDC_AUTHORIZATION_HEADER_KEY, |
1835 | strlen (OIDC_AUTHORIZATION_HEADER_KEY), | 1835 | strlen (OIDC_AUTHORIZATION_HEADER_KEY), |
@@ -1888,15 +1888,8 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
1888 | ticket = | 1888 | ticket = |
1889 | GNUNET_CONTAINER_multihashmap_get (OIDC_access_token_map, &cache_key); | 1889 | GNUNET_CONTAINER_multihashmap_get (OIDC_access_token_map, &cache_key); |
1890 | GNUNET_assert (NULL != ticket); | 1890 | GNUNET_assert (NULL != ticket); |
1891 | 1891 | ego_entry = find_ego (handle, &ticket->audience); | |
1892 | for (handle->ego_entry = handle->ego_head; NULL != handle->ego_entry; | 1892 | if (NULL == ego_entry) |
1893 | handle->ego_entry = handle->ego_entry->next) | ||
1894 | { | ||
1895 | GNUNET_IDENTITY_ego_get_public_key (handle->ego_entry->ego, &pk); | ||
1896 | if (0 == GNUNET_memcmp (&pk, &ticket->audience)) | ||
1897 | break; // Found | ||
1898 | } | ||
1899 | if (NULL == handle->ego_entry) | ||
1900 | { | 1893 | { |
1901 | handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_TOKEN); | 1894 | handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_TOKEN); |
1902 | handle->edesc = GNUNET_strdup ("The access token expired"); | 1895 | handle->edesc = GNUNET_strdup ("The access token expired"); |
@@ -1910,9 +1903,8 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
1910 | handle->oidc->response = json_object (); | 1903 | handle->oidc->response = json_object (); |
1911 | json_object_set_new (handle->oidc->response, | 1904 | json_object_set_new (handle->oidc->response, |
1912 | "sub", | 1905 | "sub", |
1913 | json_string (handle->ego_entry->keystring)); | 1906 | json_string (ego_entry->keystring)); |
1914 | privkey = GNUNET_IDENTITY_ego_get_private_key (handle->ego_entry->ego); | 1907 | privkey = GNUNET_IDENTITY_ego_get_private_key (ego_entry->ego); |
1915 | |||
1916 | handle->idp_op = GNUNET_RECLAIM_ticket_consume (handle->idp, | 1908 | handle->idp_op = GNUNET_RECLAIM_ticket_consume (handle->idp, |
1917 | privkey, | 1909 | privkey, |
1918 | ticket, | 1910 | ticket, |